The patching level for Microsoft Exchange Servers that are vulnerable to the Proxy Logon group of security bugs has reached 92%, states Microsoft.
Vast numbers of companies were likely compromised before patches were applied, so the danger remains.
Microsoft tweeted out the stat earlier this week – though of course patching will not fix already-compromised machines. Still, that is an improvement of 43% just since last week, Microsoft pointed out (using telemetry from RiskIQ).
Remote Code Execution
Proxy Logon consists of 4 flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be put together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.
This gives them access to email communications & the opportunity to install a web shell for further exploitation within the environment.
The news on patching comes as a whirlwind of Proxy Logon cyber-attacks has hit companies across the globe, with multiple advanced persistent threats (APT) & possibly other adversaries moving quickly to exploit the bug.
A number of public proof-of-concept exploits has made matters worse, & F-Secure stated on Sun. that hacks are occurring “faster than we can count,” with 10s of 1,000s of machines compromised.
“To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,” according to F-Secure’s writeup.
“There is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking & security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.”
The attackers are using Proxy Logon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered “Black Kingdom” strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.
Patching Remains Tough
The investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wed.
Victor Wieczorek, Practice Director for Threat & Attack Simulation at Guide Point Security, noted that some organisations not structured or resourced to patch effectively against Proxy Logon.
“This is because, 1) a lack of accurate asset inventory & ownership information; & 2) lag time to vet patching for negative impacts on the business & gain approval from asset/business owners to patch,” he explained.
“If you do not have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them & if applying the patch would negatively impact the system’s function. Responsible & timely patching takes lots of proactive planning & tracking.”
He added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness & active threats (threat hunting), & investing/correcting confirmed vulnerabilities (vulnerability management), organisations are going to be in a much better spot to adjust to emerging vulnerabilities & invoke their incident-response capabilities when needed.
Microsoft said in early Mar. that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange servers.
Also, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data & drop malware on target machines for long-term remote access. It’s also apparent that Hafnium isn’t the only party of interest, according to multiple researchers; ESET said earlier in March that at least 10 different APTs are using the exploit.
The sheer volume of APTs mounting attacks, most of them starting in the days before Proxy Logon became publicly known, has created questions as to the exploit’s provenance & ESET researchers asked whether it was shared around the Dark Web on a wide scale.
The APTs seem mainly involved in cyber-espionage & data theft, researchers observed.
“These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,” according to F-Secure. “If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.”
Several versions of the on-premises flavour of Exchange are vulnerable to the 4 bugs, including Exchange 2013, 2016 & 2019. Cloud-based & hosted versions are not vulnerable to Proxy Logon.
Patching is Not Enough
Unfortunately, installing the Proxy Logon security patches alone does not guarantee that a server is secure, because an attacker may have breached it before the update was installed.
“Patching is like closing a door. Therefore, 92% of the doors have been closed. But the doors were open for a relatively long time & known to all the bad actors,” Oliver Tavakoli, CTO at Vectra, explained. “Identifying & remediating already compromised systems will be a lot harder.”
Brandon Wales, the Acting Director for the US Cybersecurity & Infrastructure Security Agency (CISA), observed during a webinar this week that “patching is not sufficient.”
“We know that multiple adversaries have compromised networks prior to patches being applied Wales outlined during a Cipher Brief webinar. He added, “You should not have a false sense of security.
You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a 3rd party if you are not capable of doing that.”
Yonatan Amitay, Security Researcher at Vulcan Cyber, outlined that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following things:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence & investigate your environment for indicators of lateral movement or further compromise.
“If for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration — here, as they recognise that applying the latest patches to Exchange servers may take time and planning, especially if organisations are not on recent versions and/or associated cumulative & security patches,” he stated.
“Note that the mitigations suggested are not substitutes for installing the updates.”
Microsoft also has issued a one-click mitigation & remediation tool for small & medium-sized businesses in light of the ongoing swells of attacks.
Vectra’s Tavakoli noted that the mitigation guides & tools Microsoft has supplied do not necessarily help post-compromise – they are intended to provide mitigation in advance of fully patching the Exchange server.
“The end result of a compromise is reflective of the M.O. of each attack group, & that will be far more variable & less amenable to automated clean-up,” he commented.
Milan Patel, Global Head of MSS for Blue Voyant, commented that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.
“Incident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,” he outlined. “This is critical, this could mean the difference between a small clean-up effort vs. potential litigation because sensitive data was stolen from the network.”